|United States Patent||8,020,207|
|Chow , et al.||September 13, 2011|
A malware detection and response system based on detection of traffic pattern anomalies is provided, whereby packets associated with a variety of protocols on each port of a network element are counted separately for each direction. Such packets include ARP requests, TCP/SYN requests and acknowledgements, TCP/RST packets, DNS/NETBEUI name lookups, out-going ICMP packets, and UDP packets. When a packet causes an individual count, or a combination of counts, to exceed a threshold, appropriate action is taken. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost.
|Inventors:||Chow; Stanley TaiHai (Ottawa, CA), Robert; Jean-Marc (Montreal, CA), McNamee; Kevin (Ottawa, CA), Wiemer; Douglas (Ashton, CA), McFarlane; Bradley Kenneth (Ottawa, CA)|
|Filed:||January 23, 2007|
|Current U.S. Class:||726/22 ; 713/194; 726/11; 726/13; 726/23; 726/24; 726/25|
|Current International Class:||G06F 12/14 (20060101)|
|Field of Search:||709/223,224 726/11,13,22-25 713/194|
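The abstract describes a counter-per-port, counter-per-direction scheme with thresholds on single counters and on combinations of counters. The following is an added illustration of that mechanism in Python; it is not code from the patent or its assignee. The packet-type names, the threshold values, the combined "unanswered SYN" rule, the quarantine action, the window reset and the sample traffic are all assumptions made for this example.

```python
# Added example (not the patent's own code): per-port, per-direction packet-type
# counters with individual and combined thresholds, as the abstract describes.
# Event names, thresholds, the combined rule, the blocking action and the sample
# traffic are assumptions made for this illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Packet types the abstract lists as counted per port and per direction.
ARP_REQ, TCP_SYN, TCP_SYNACK, TCP_RST, DNS_QUERY, ICMP, UDP = (
    "arp_req", "tcp_syn", "tcp_synack", "tcp_rst", "dns_query", "icmp", "udp")

# Direction relative to the network element's port: "rx" is received from the
# attached host, "tx" is sent towards it (assumed convention).
RX, TX = "rx", "tx"

@dataclass(frozen=True)
class Packet:
    port: int
    direction: str
    kind: str

CountKey = Tuple[int, str, str]   # (port, direction, kind)

# Assumed per-window limits on individual counters, keyed by (direction, kind).
INDIVIDUAL_THRESHOLDS: Dict[Tuple[str, str], int] = {
    (RX, ARP_REQ): 50,     # ARP sweep originating from the attached host
    (RX, TCP_SYN): 100,
    (RX, DNS_QUERY): 60,
    (RX, ICMP): 40,        # ICMP leaving the host
    (RX, UDP): 200,
}

def unanswered_syn_rule(counts: Dict[CountKey, int], port: int) -> Optional[str]:
    """Assumed combined rule: many SYNs from the host, few SYN/ACKs returned."""
    syn_rx = counts[(port, RX, TCP_SYN)]
    synack_tx = counts[(port, TX, TCP_SYNACK)]
    if syn_rx >= 20 and synack_tx * 4 < syn_rx:
        return f"port {port}: {syn_rx} SYNs sent, only {synack_tx} SYN/ACKs returned"
    return None

class PortCounterDetector:
    def __init__(self, individual=INDIVIDUAL_THRESHOLDS, combined=(unanswered_syn_rule,)):
        self.counts: Dict[CountKey, int] = defaultdict(int)
        self.individual = individual
        self.combined: Tuple[Callable[..., Optional[str]], ...] = combined
        self.alerts: List[Tuple[int, str]] = []
        self.blocked: set = set()

    def observe(self, pkt: Packet) -> str:
        """Count one packet and return the fast-path verdict: 'forward' or 'drop'."""
        if pkt.port in self.blocked:
            return "drop"
        key = (pkt.port, pkt.direction, pkt.kind)
        self.counts[key] += 1
        limit = self.individual.get((pkt.direction, pkt.kind))
        if limit is not None and self.counts[key] > limit:
            self._act(pkt.port, f"port {pkt.port}: {pkt.direction}/{pkt.kind} "
                                f"count {self.counts[key]} exceeds {limit}")
            return "drop"
        for rule in self.combined:
            reason = rule(self.counts, pkt.port)
            if reason:
                self._act(pkt.port, reason)
                return "drop"
        return "forward"

    def _act(self, port: int, reason: str) -> None:
        # Assumed response: raise an alert and quarantine the port for the rest of the window.
        self.alerts.append((port, reason))
        self.blocked.add(port)

    def reset_window(self) -> None:
        # Counters are assumed to be zeroed (and the quarantine lifted) each interval.
        self.counts.clear()
        self.blocked.clear()

def sample_traffic() -> List[Packet]:
    """Constructed traffic for three ports (not captured data)."""
    pkts: List[Packet] = []
    # Port 1: an ordinary client, 10 connections all answered, plus some UDP.
    for _ in range(10):
        pkts += [Packet(1, RX, TCP_SYN), Packet(1, TX, TCP_SYNACK)]
    pkts += [Packet(1, RX, UDP)] * 5
    # Port 2: a scanning host probing 30 targets; 2 answer SYN/ACK, 20 answer RST, 8 are silent.
    for target in range(30):
        pkts.append(Packet(2, RX, TCP_SYN))
        if target < 2:
            pkts.append(Packet(2, TX, TCP_SYNACK))
        elif target < 22:
            pkts.append(Packet(2, TX, TCP_RST))
    # Port 3: an ARP sweep of 60 addresses.
    pkts += [Packet(3, RX, ARP_REQ)] * 60
    return pkts

def run_sample() -> Tuple[PortCounterDetector, Dict[Tuple[int, str], int]]:
    det = PortCounterDetector()
    verdicts: Dict[Tuple[int, str], int] = defaultdict(int)
    for pkt in sample_traffic():
        verdicts[(pkt.port, det.observe(pkt))] += 1
    return det, dict(verdicts)

if __name__ == "__main__":
    det, verdicts = run_sample()
    for _, reason in det.alerts:
        print("ALERT", reason)
    print(verdicts)
```

In this run port 1 is never touched, port 2 is quarantined at its 20th SYN by the combined rule (only 2 SYN/ACKs had come back by then), and port 3 is quarantined at the 51st ARP request by the individual threshold. The counters are plain integers keyed by (port, direction, type), which is what makes the scheme cheap enough to sit in the data plane; the only per-packet work is one increment and a handful of comparisons.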
|5170391||December 1992||Arnold et al.|
|7490350||February 2009||Murotake et al.|
|2004/0054925||March 2004||Etheridge et al.|
|2006/0174342||August 2006||Zaheer et al.|
|WO 2006-081507||Aug., 2006||WO|
|WO 2006-103337||Oct., 2006||WO|
Whyte, et al., ARP-based Detection of Scanning Worms Within an Enterprise Network, pp. 1-15.
Whyte, et al., DNS-based Detection of Scanning Worms in an Enterprise Network, Aug. 24, 2004, pp. 1-17.
van Oorschot, et al., A monitoring system for detecting repeated packets with applications to computer worms, Int. J. Inf. Secur. (2006), Mar. 8, 2006, Springer-Verlag.
Jiang, et al., An Improved Real-Time Traffic Flow Monitoring Scheme, National University of Singapore.
Mirkovic, J., "D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks", 2003, XP007906244, Univ. of California, USA, http://lasr.cs.ucla.edu/ddos/dward-thesis.pdf.